4
What is ABFAB?
Federated Identity for AuthN/AuthZ for any application/service
Designed to take the best of breed of existing technologies, giving:
– Security
– Flexibility / wide scope
– Ease of integration
– Scaling

8
AuthZ over AAA
EAP is an authn protocol
What about authz?
RADIUS/RadSec enables authz to be separate from authn
– Directly, but may be limited (RADIUS attrs)
ABFAB also defines SAML over AAA for finer-grained, flexible authz information

19
Overview
An ABFAB-style mechanism seems appropriate
– Decoupled AuthN/AuthZ from core protocol
In a way that is flexible and extensible
– Could use GSS-EAP directly – but that's built for our application/service layer use cases
– Or could use a custom ABFAB mechanism that better fits IoT requirements
i.e. GSS-less ABFAB
E.g. EAP for authn, DTLS

20
ABFAB++
EAP's decoupling of credential types and trust establishment from rest of system
ABFAB-style architecture
– Separate out AuthN from AuthZ
Flexibility about client and AuthZ server.
Programmatic way of approaching AuthZ (AAA attributes)